Using Secret Manager to hold cloudfront public key

-1

Hi, I was trying to use the CDK to initialize my CloudFront distribution. I wanted to move away from hard-coding secrets in my CDK file and my CloudFront Lambda, so I thought it'd be best to put both the public key and private key into AWS Secrets Manager, and then read them out from there. Here is how I am trying to set up the CloudFront distribution.

    from aws_cdk import aws_cloudfront as cloudfront
    from aws_cdk import aws_secretsmanager as sm
    # Inside the Stack: import the existing secret by full ARN, read its "CFPublicKey" JSON field, and hand it to CloudFront
    cf_public_key = sm.Secret.from_secret_complete_arn(self, "CFPublicKey", "arn:aws:secretsmanager:us-west-2:<ARN>")
    cf_public_key_value = cf_public_key.secret_value_from_json("CFPublicKey").unsafe_unwrap()
    pub_key = cloudfront.PublicKey(self, "PubKey", encoded_key=cf_public_key_value)
    key_group = cloudfront.KeyGroup(self, "KeyGroup", items=[pub_key])

This fails during deployment... Should I put the public key in SSM Parameter Store instead, and keep the private key in Secrets Manager? Thanks

  • What’s the error you are receiving?

  • Here was the error:

    11:17:16 PM | UPDATE_FAILED | AWS::CloudFront::PublicKey | PubKeyB78B0EBC Resource handler returned message: "Invalid request provided: AWS::CloudFront::PublicKey" (RequestToken: 1f556dd6-614f-f8c3-43c2 -5c86ae9db53a, HandlerErrorCode: InvalidRequest)

2 Answers
0

Hi, this blog post gives you all the detailed information about what you want to achieve and how to implement it: https://aws.amazon.com/blogs/networking-and-content-delivery/securing-and-accessing-secrets-from-lambdaedge-using-aws-secrets-manager/

AWS
EXPERT
answered 10 months ago
0

I think my issue may revolve around how to properly store the key in Secrets Manager... Initially, I had the public key hard-coded in a Python string and it was of the form:

public_key="-----BEGIN PUBLIC KEY----- \n...\n...\n...\n...\n...\n ...\n...\n-----END PUBLIC KEY-----"

where I had to insert \n newlines at the end of every line as I copied it from the .pem file. The hard-coded string works with the CDK. I tried placing this exact format in Secrets Manager and it didn't work (with the above error)... I also tried this format with SSM Parameter Store, and it did not work... With SSM Parameter Store, I was able to go back and paste the key in as a multiline string (where the breaks are seen at the end of each line)... If I try to do this in Secrets Manager, the line breaks are converted to spaces, and the key is no longer valid. I believe when I removed the spaces, the key also did not work.

rrrpdx
answered 10 months ago
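The failure mode described in the question and in rrrpdx's follow-up is a PEM whose line structure was damaged between the .pem file and the CloudFront::PublicKey resource: either the two characters backslash and "n" were stored literally (a Python source string turns "\n" into a real newline, a pasted secret value does not), or the newlines became spaces. The following is an added example, not code from either poster or from AWS, that repairs such a value into the canonical 64-column PEM layout and rejects anything that is not valid base64. The sample key body is constructed placeholder bytes, not a real key. Two caveats a practitioner would want: a CloudFront public key is not a secret (it is published in the PublicKey resource), so SSM Parameter Store or source control is fine for it, while only the private key used by the signing Lambda needs Secrets Manager; and in CDK, `secret_value_from_json(...).unsafe_unwrap()` on an imported secret yields a CloudFormation dynamic-reference token that is resolved at deploy time, so a normalization like this cannot be applied to that token at synth time. It has to run before the value is written into the secret or parameter (for instance in the script that uploads the key).

```python
"""Added example: repairing a CloudFront public-key PEM whose line breaks were lost.

Standard library only, so it runs offline. The sample key body below is
constructed placeholder bytes, not a real key.
"""
import base64
import binascii
import json
import re

PEM_HEADER = "-----BEGIN PUBLIC KEY-----"
PEM_FOOTER = "-----END PUBLIC KEY-----"


def normalize_pem_public_key(raw: str) -> str:
    """Return a canonical PEM block (RFC 7468 layout) from a damaged copy.

    Accepts the three forms that come up in the thread:
      * a correct multi-line PEM,
      * a single line with literal backslash-n sequences (what a hand-edited
        Secrets Manager value ends up holding),
      * a PEM whose newlines were replaced by spaces.
    Raises ValueError if header/footer are missing or the body is not base64.
    """
    # A literal two-character "\n" becomes a real newline before parsing.
    text = raw.replace("\\n", "\n")
    start = text.find(PEM_HEADER)
    end = text.find(PEM_FOOTER)
    if start == -1 or end == -1 or end < start:
        raise ValueError("not a PEM public key: header or footer missing")
    body = text[start + len(PEM_HEADER):end]
    # Whatever separated the lines (LF, CRLF, spaces), drop all whitespace.
    body = re.sub(r"\s+", "", body)
    # Reject truncated or corrupted pastes: the body must be valid base64 DER.
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}") from exc
    if not der:
        raise ValueError("PEM body is empty")
    # Re-wrap at 64 columns and terminate with a newline.
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def is_pem_public_key(raw: str) -> bool:
    """True if normalize_pem_public_key() accepts the value."""
    try:
        normalize_pem_public_key(raw)
    except ValueError:
        return False
    return True


def key_from_secret_string(secret_string: str, field: str) -> str:
    """Pull one field out of a JSON SecretString (the shape a key/value secret
    has in get-secret-value output) and normalize it. This is the plain-Python
    counterpart of secret_value_from_json(field) in the CDK snippet."""
    return normalize_pem_public_key(json.loads(secret_string)[field])


# ---- constructed sample inputs (not a real key) ---------------------------
_SAMPLE_B64 = base64.b64encode(bytes(range(200))).decode()
CANONICAL = "\n".join(
    [PEM_HEADER, *[_SAMPLE_B64[i:i + 64] for i in range(0, len(_SAMPLE_B64), 64)], PEM_FOOTER]
) + "\n"
# The hard-coded Python form from the post as it would be stored if pasted
# verbatim into a secret: backslash-n as two characters, space after the header.
ESCAPED = CANONICAL.replace(PEM_HEADER + "\n", PEM_HEADER + " \\n").replace("\n", "\\n")
# Newlines turned into spaces, the form the poster saw in the console.
SPACED = CANONICAL.strip().replace("\n", " ")
# A JSON key/value secret holding the spaced form under the field the CDK code reads.
SAMPLE_SECRET_STRING = json.dumps({"CFPublicKey": SPACED})

if __name__ == "__main__":
    for label, sample in (("canonical", CANONICAL), ("escaped", ESCAPED), ("spaced", SPACED)):
        print(label, "->", "ok" if normalize_pem_public_key(sample) == CANONICAL else "MISMATCH")
    print("json secret ->", "ok" if key_from_secret_string(SAMPLE_SECRET_STRING, "CFPublicKey") == CANONICAL else "MISMATCH")
    print("garbage rejected ->", not is_pem_public_key("not a key at all"))
```

Run it before uploading a key: `normalize_pem_public_key(open("public_key.pem").read())` gives the exact string to store, and `is_pem_public_key()` is a cheap pre-deploy check that would have caught the "Invalid request provided" error at synth time rather than in a CloudFormation rollback.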
